Packet classification is the process of finding the highest-priority rule that matches a packet. Each rule specifies the packet fields that must match, e.g., source address, destination address, and so on. With the advent of network virtualization and distributed firewalls, rules no longer refer to addresses directly but to a container, which in turn refers to a set of addresses. Most of the current literature deals with optimizing classification for rules that refer to addresses directly; none of it directly addresses optimizing rules that refer to containers.
There are some possible methods for handling container-based rules. One is to enumerate each container-based rule into address-based rules, one for every address pair drawn from the containers it refers to. For example, if the container “Web-Cont” has 100 addresses and the container “App-Cont” has 100 addresses, a single rule from “Web-Cont” to “App-Cont” expands to 10,000 rules, one per source-destination address pair. Another is to look up the containers of each container-based rule at classification time, when determining whether the rule matches the incoming packet. However, since a firewall may be implemented with many container-based rules, looking up containers for every rule would make the search for a matching rule extremely slow.
Furthermore, since each rule in the firewall carries a priority number, the rules must be examined in priority order. A rule cannot be skipped without first knowing whether it would have matched the incoming packet, because a skipped higher-priority match would change the result.
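The two naive approaches above, and the cost the priority ordering imposes on the second, are shown in the following added example. It is illustration code written for this page, not code from the original text or from any firewall product; the container names, addresses, rules and packets are constructed sample data, and the functions `enumerate_rules`, `classify_enumerated` and `classify_by_lookup` are hypothetical names chosen here.

```python
"""Two naive ways to classify a packet against container-based firewall rules.

Method 1 expands every container rule into one address-based rule per
(src, dst) address pair. Method 2 keeps the container rules and resolves
the containers for each rule while walking the rule list in priority order.
All data below is constructed for illustration.
"""
from dataclasses import dataclass
from itertools import product
from typing import Dict, List, Optional, Set, Tuple

# Containers map a name to a set of addresses (constructed sample data).
CONTAINERS: Dict[str, Set[str]] = {
    "Web-Cont": {f"10.1.0.{i}" for i in range(1, 101)},  # 100 web servers
    "App-Cont": {f"10.2.0.{i}" for i in range(1, 101)},  # 100 app servers
    "DB-Cont": {f"10.3.0.{i}" for i in range(1, 11)},    # 10 database servers
}


@dataclass(frozen=True)
class Rule:
    priority: int            # lower number = higher priority
    src: str                 # container name, or "any"
    dst: str                 # container name, or "any"
    dst_port: Optional[int]  # None = any port
    action: str              # "allow" or "deny"


# Constructed policy, kept sorted by priority; the first match wins.
RULES: List[Rule] = sorted([
    Rule(10, "Web-Cont", "App-Cont", 8080, "allow"),
    Rule(20, "App-Cont", "DB-Cont", 5432, "allow"),
    Rule(30, "Web-Cont", "DB-Cont", None, "deny"),
    Rule(100, "any", "any", None, "deny"),  # default deny
], key=lambda r: r.priority)

Packet = Tuple[str, str, int]  # (src_ip, dst_ip, dst_port)

# One expanded rule: (priority, src_ip or None, dst_ip or None, port or None, action)
Expanded = Tuple[int, Optional[str], Optional[str], Optional[int], str]


def addresses(name: str) -> Optional[Set[str]]:
    """Resolve a container name to its address set; None means 'any'."""
    return None if name == "any" else CONTAINERS[name]


# --- Method 1: enumerate every address pair into an address-based rule ---
def enumerate_rules(rules: List[Rule]) -> List[Expanded]:
    """Expand each container rule into one rule per (src, dst) address pair.

    A rule between two 100-address containers becomes 10,000 rules; an
    "any" side stays a single wildcard (None). Rule order is preserved, so
    the expanded list is still in priority order.
    """
    expanded: List[Expanded] = []
    for r in rules:
        srcs = addresses(r.src) or {None}
        dsts = addresses(r.dst) or {None}
        for s, d in product(srcs, dsts):
            expanded.append((r.priority, s, d, r.dst_port, r.action))
    return expanded


def classify_enumerated(expanded: List[Expanded], pkt: Packet) -> Optional[int]:
    """Linear scan of the expanded list; returns the matching priority."""
    src, dst, port = pkt
    for prio, s, d, p, _action in expanded:
        if (s is None or s == src) and (d is None or d == dst) \
                and (p is None or p == port):
            return prio
    return None


# --- Method 2: look up the containers for every rule at match time ---
def classify_by_lookup(rules: List[Rule], pkt: Packet) -> Tuple[Optional[int], int]:
    """Walk rules in priority order, resolving containers for each rule.

    No rule can be skipped before its match status is known, so every
    container-based rule ahead of the match costs one lookup per side.
    Returns (matching priority, number of container lookups performed).
    """
    src, dst, port = pkt
    lookups = 0
    for r in rules:
        s_set, d_set = addresses(r.src), addresses(r.dst)
        lookups += (r.src != "any") + (r.dst != "any")
        if (s_set is None or src in s_set) and (d_set is None or dst in d_set) \
                and (r.dst_port is None or r.dst_port == port):
            return r.priority, lookups
    return None, lookups


if __name__ == "__main__":
    table = enumerate_rules(RULES)
    print(f"{len(RULES)} container rules expand to {len(table)} address rules")
    for pkt in [("10.1.0.5", "10.2.0.7", 8080), ("10.1.0.5", "10.3.0.2", 5432),
                ("192.0.2.1", "10.2.0.7", 8080)]:
        prio, n = classify_by_lookup(RULES, pkt)
        print(pkt, "-> rule", prio, "after", n, "container lookups;",
              "enumerated table agrees:", classify_enumerated(table, pkt) == prio)
```

Both methods return the same rule for every packet; what differs is where the cost lands. Enumeration pays up front in table size (the four constructed rules become 12,001 address rules, and the table must be regenerated whenever a container's membership changes), while per-rule lookup pays on every packet, and the lookup count grows with the number of container-based rules that precede the match, reaching the full rule list for traffic that falls through to the default rule.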